13

I have recently set up a RADIUS server with EAP for my wireless router, however, I have some questions about the key size and how WPA2 enterprise (AES) works in general.

I have read that in Enterprise mode, the key used to encrypt the traffic between the wireless AP and the devices connected to it is randomly generated and expires each time a user connects/reconnects. I also know that in WPA2-PSK, the maximum key length is 256-bits.

However, I have not been able to find any place that tells me where the key generation for WPA2 enterprise takes place, and which device has the burden of generation and negotiating that random key. Is the key generated by the AP? is it generated by the RADIUS server? what is the length of the encryption key?

Also, is there a way to actually check to see if the traffic is encrypted?

Thanks!

2 Answers2

11

You are correct in thinking that each session uses a set of psuedo-randomly generated keys. If the network is set up to use a Pre-Shared Key (PSK) then the process works as follows:

  • The connecting device makes itself known to the Access Point (AP).
  • The AP sends a psuedo-randomly generated nonce to the device (as plaintext).
  • The device generates its own psuedo-random nonce.
  • The device then uses these two nonces, the MAC address of the AP, the MAC address of the device, and the PSK as input to a cryptographic hash function, to create a block of keying information called the Pairwise Temporal Key (PTK) which is 64 bytes, or 512 bits in length.
  • This PTK is cut up to produce 5 separate session keys. The Key Confirmation Key (KCK) is 128 bits long, the Key Encryption Key (KEK), 128 bits, the Temporal Key (TK) 128 bits, and two shorter keys Rx and Tx used for providing Messsage Authentication Codes (MACs), both 64 bits long.
  • The device now responds to the AP with its own nonce, concatenated with a hash of the AP's nonce it received and the KCK.
  • The AP derives the same PTK and session keys as the device as it now holds the same input information (nonces, PSK, the MAC addresses). It can then hash its own nonce with the derived KCK and check it against the received one. This confirms that the device shares the PSK and the device is now authenticated to the AP.
  • The AP responds to the device with a hash of the device's nonce using the KCK and a sequence number to prevent replays of previous messages by an active attacker.
  • The device checks the received hash of its own nonce against the expected result (with the KCK), and if they match the AP is authenticated to the device.
  • The device responds with an acknowledgement of receipt, and the handshake is complete.

From this point onward, messages between the AP and device are encrypted using AES with the TK derived by both devices. The Rx is used to create MACs on messages sent by the device, and the Tx is used to create MACs on messages sent by the AP.

Note that the use of the KEK is not mentioned. I'm not entirely sure on its use, but I assume it was added to the standard to allow for implementation specific extensions to the authentication handshake.

This answer might be more theoretical than you were looking for but I hope it helps.

mckiethanks
  • 556
  • 3
  • 12
  • Welcome to SEC:SE; very nice answer, and well worth the traditional +1 as recognition of your arrival. – MCW Dec 11 '12 at 12:52
  • 1
    First of all, great response. But sadly it doesn't really answer Dan's question. You explained perfectly how WPA2-PSK works, but how does it work in the Enterprise version? Where you do not have the PSK (and without it, any eavesdropper can generate the encryption key on his own). – Dig Sep 12 '15 at 17:00
  • Isn't KEK stored in `MIC₂` that stores GTK encrypted with KEK key (`MIC₂ = PBKDF2(KCK, HMAC-SHA-1, r+1 || ANonce || Eₖₑₖ(GTK))`)? MIC₂ is then shared in `EAPOL Message 3`. – Faither Jun 15 '22 at 04:24
4

As an addition to mckiethanks answer, KEK is used to encrypt the GTK (Group Temporal Key), I believe.

This Group Temporal Key is used to encrypt the broadcast and multicast traffic between the AP and the STA. This key is transmitted from the AP to the STA during the 4-way handshake and, obviously, it has to be encrypted. Hence, this KEK is used to encrypt this key for a secure transmission.

elena
  • 181
  • 3